The present invention relates generally to protecting electronic devices against attacks designed to discern secret information stored in databases, and in particular, to protecting an electronic device from revealing database content indexed by a personal identifier.
Electronic communication and commerce are powerful yet dangerous tools. With the widespread availability of network technology, such as the Internet, there is an ever-increasing use of online tools for communication and commerce. Each year more users find it easier or quicker to conduct important transactions, whether in the form of correspondence or commerce, using computers and other computerized devices over computer networks. However, there is always the risk that the security of electronic data that is the foundation of many important online activities can be compromised through appropriation by third parties who do not have the right to access that data. News reports are plentiful describing how hackers have obtained access to databases of commercial and governmental institutions by stealing parts of or entire databases from which personal identifiers and associated data have been obtained. Such losses are extremely costly to the institutions involved both in terms of direct losses and in terms of loss of goodwill and trust.
Personal information, i.e., information associated with particular individuals, is often indexed in databases using a personal identifier. Such personal identifiers include, for example, national identification numbers, e.g., US Social Security Number and French INSEE code, Primary Account Numbers (PAN), and identifiers associated with particular personal devices, e.g., transportation card ID numbers. Such numbers are static and are known to legitimate record preparers and record requesters. Herein, the raw identifiers are referred to as PubID.
Personal identifiers are considered sensitive for the following reasons:                The knowledge of the identifier may be sufficient to allow fraudulent use of the attached account or personal device.        The identifier can allow access to records linked to it (in fact, it is possible but not mandatory that the user had been authenticated prior to request a record).        As the identifier used by the user is static, there is a significant risk regarding the possibility of linking information identified by the same identifier across several databases.        
Typically, to protect the identifiers, the identifiers are transformed into a modified form prior to storing data in a database by the records preparer and conversely the request preparer uses the modified form to access the data. One mechanism is to simply hash the PubID, i.e.:ModID=hash(PubID)
While the hash is a one-way function, and therefore, the ModID cannot be directly computed from the PubID, a hacker may nevertheless derive ModID by performing an exhaustive search of possible PubID values that produce ModID.
To somewhat mitigating that possibility, a salt, e.g., a random number, may be added as a hash parameter:ModID=hash(PubID,salt)
The salt is stored in the database or publicly available, e.g., available on the record requester. However, even so, in the event a ModID value is intercepted or a database theft, an attacker can perform an exhaustive search on the possible PubID and ModID values to obtain the PubID value from given ModID values. While the salt adds to the time required, it is not sufficient to perfectly protect PubID from being revealed.
From the foregoing it will be apparent that there is still a need for an improved technology to provide a secure mechanism to protect personal identifiers from being revealed from an intercept of a modified personal identifier or from theft of a partial or entire database. Such a protection mechanism should protect PubID from being retrieved in the event the index ModID is intercepted, the database is breached or the database is stolen. Further, it should not be possible for a hacker to link information by one identifier across to other databases.